diff options
| author | Michael Stahl <michael.stahl@allotropia.de> | 2021-10-15 20:52:47 +0200 |
|---|---|---|
| committer | Michael Stahl <michael.stahl@allotropia.de> | 2021-10-21 19:21:49 +0200 |
| commit | 874c02831fd2420b35b9719266ecec5d76707121 (patch) | |
| tree | a0a06394a2abd0f74cd25381d2faf9ab2de905e0 | |
| parent | d6c4807a8351c9ddde4a3358fe5a0e3ca95049e5 (diff) | |
xmlsecurity: fix test failing because NSS policy forbids SHA1
With Fedora's nss-3.71.0-1.fc34.x86_64 there is the problem that
8 tests including testODFGood in CppunitTest/xmlsecurity_signing
fail because the crypto policy disallows SHA1 for signatures.
Apparently this particular policy bit was added in NSS 3.59:
https://bugzilla.mozilla.org/show_bug.cgi?id=1670835
For signatures, maybe it's not a good idea to override system policy
for product builds, so do it locally in the tests, at least for now.
If similar problems turn up for encrypted documents in the future,
that should be fixed in product builds too of course, as encrypted
documents must always be decryptable.
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/123768
Tested-by: Jenkins
Tested-by: Caolán McNamara <caolanm@redhat.com>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
(cherry picked from commit 51e82016e8783a452fe5f7921d12c1bf20bfd6b5)
xmlsecurity: fix --without-system-nss usage of NSS_SetAlgorithmPolicy
The problem with commit ff572d9222ec16ffd679ae907a0bf4a8900265e1
is that it's using the wrong library; NSS_SetAlgorithmPolicy is actually
in libnssutil3.so.
This causes a linking problem when upgrading the internal NSS to a
version that has NSS_USE_ALG_IN_ANY_SIGNATURE.
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/123819
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
(cherry picked from commit 395c0c0bbaceadf909e0189af99c6358487c7978)
Change-Id: I4f634cf5da1707fb628e63cd0cdafebdf4fc903f
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/123841
Tested-by: Michael Stahl <michael.stahl@allotropia.de>
Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
| -rw-r--r-- | RepositoryExternal.mk | 26 | ||||
| -rw-r--r-- | xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk | 8 | ||||
| -rw-r--r-- | xmlsecurity/CppunitTest_xmlsecurity_signing.mk | 8 | ||||
| -rw-r--r-- | xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx | 16 | ||||
| -rw-r--r-- | xmlsecurity/qa/unit/signing/signing.cxx | 11 |
5 files changed, 69 insertions, 0 deletions
diff --git a/RepositoryExternal.mk b/RepositoryExternal.mk index a892a59452e3..0b935279e712 100644 --- a/RepositoryExternal.mk +++ b/RepositoryExternal.mk @@ -3454,6 +3454,11 @@ $(call gb_LinkTarget_add_libs,$(1),\ endef +define gb_LinkTarget__use_nssutil3 +$(call gb_LinkTarget__use_nss3,$(1)) + +endef + define gb_LinkTarget__use_plc4 $(call gb_LinkTarget__use_nss3,$(1)) @@ -3523,6 +3528,27 @@ endif endef +define gb_LinkTarget__use_nssutil3 +$(call gb_LinkTarget_use_package,$(1),nss) +$(call gb_LinkTarget_set_include,$(1),\ + $$(INCLUDE) \ + -I$(call gb_UnpackedTarball_get_dir,nss)/dist/public/nss \ + -I$(call gb_UnpackedTarball_get_dir,nss)/dist/out/include \ +) + +ifeq ($(COM),MSC) +$(call gb_LinkTarget_add_libs,$(1),\ + $(call gb_UnpackedTarball_get_dir,nss)/dist/out/lib/nssutil3.lib \ +) +else +$(call gb_LinkTarget_add_libs,$(1),\ + -L$(call gb_UnpackedTarball_get_dir,nss)/dist/out/lib \ + -lnssutil3 \ +) +endif + +endef + define gb_ExternalProject__use_nss3 $(call gb_ExternalProject_use_package,$(1),nss) diff --git a/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk b/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk index 021ab8dbe99f..083edf36dbe7 100644 --- a/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk +++ b/xmlsecurity/CppunitTest_xmlsecurity_pdfsigning.mk @@ -34,6 +34,14 @@ $(eval $(call gb_CppunitTest_use_externals,xmlsecurity_pdfsigning,\ boost_headers \ )) +ifneq ($(OS),WNT) +ifneq (,$(ENABLE_NSS)) +$(eval $(call gb_CppunitTest_use_externals,xmlsecurity_pdfsigning,\ + nssutil3 \ +)) +endif +endif + $(eval $(call gb_CppunitTest_set_include,xmlsecurity_pdfsigning,\ -I$(SRCDIR)/xmlsecurity/inc \ $$(INCLUDE) \ diff --git a/xmlsecurity/CppunitTest_xmlsecurity_signing.mk b/xmlsecurity/CppunitTest_xmlsecurity_signing.mk index 60a21f3944e1..4b3c4787ea73 100644 --- a/xmlsecurity/CppunitTest_xmlsecurity_signing.mk +++ b/xmlsecurity/CppunitTest_xmlsecurity_signing.mk @@ -34,6 +34,14 @@ $(eval $(call gb_CppunitTest_use_externals,xmlsecurity_signing,\ libxml2 \ )) +ifneq ($(OS),WNT) +ifneq (,$(ENABLE_NSS)) +$(eval $(call gb_CppunitTest_use_externals,xmlsecurity_signing,\ + nssutil3 \ +)) +endif +endif + $(eval $(call gb_CppunitTest_set_include,xmlsecurity_signing,\ -I$(SRCDIR)/xmlsecurity/inc \ $$(INCLUDE) \ diff --git a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx index ed97f4b80854..cac4152f94b5 100644 --- a/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx +++ b/xmlsecurity/qa/unit/pdfsigning/pdfsigning.cxx @@ -7,6 +7,10 @@ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +#ifndef _WIN32 +#include <secoid.h> +#endif + #include <com/sun/star/xml/crypto/SEInitializer.hpp> #include <com/sun/star/security/DocumentSignatureInformation.hpp> @@ -137,6 +141,18 @@ void PDFSigningTest::setUp() osl::File::copy(aSourceDir + "pkcs11.txt", aTargetDir + "pkcs11.txt"); setenv("MOZILLA_CERTIFICATE_FOLDER", aTargetPath.toUtf8().getStr(), 1); #endif + + uno::Reference<xml::crypto::XSEInitializer> xSEInitializer + = xml::crypto::SEInitializer::create(mxComponentContext); + uno::Reference<xml::crypto::XXMLSecurityContext> xSecurityContext + = xSEInitializer->createSecurityContext(OUString()); +#ifndef _WIN32 +#ifdef NSS_USE_ALG_IN_ANY_SIGNATURE + // policy may disallow using SHA1 for signatures but unit test documents + // have such existing signatures (call this after createSecurityContext!) + NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0); +#endif +#endif } std::vector<SignatureInformation> PDFSigningTest::verify(const OUString& rURL, size_t nCount, diff --git a/xmlsecurity/qa/unit/signing/signing.cxx b/xmlsecurity/qa/unit/signing/signing.cxx index b575f59965de..781c555fbd3f 100644 --- a/xmlsecurity/qa/unit/signing/signing.cxx +++ b/xmlsecurity/qa/unit/signing/signing.cxx @@ -14,6 +14,10 @@ #include <type_traits> +#ifndef _WIN32 +#include <secoid.h> +#endif + #include <test/bootstrapfixture.hxx> #include <unotest/macros_test.hxx> #include <test/xmltesttools.hxx> @@ -235,6 +239,13 @@ void SigningTest::setUp() mxDesktop.set(frame::Desktop::create(mxComponentContext)); mxSEInitializer = xml::crypto::SEInitializer::create(mxComponentContext); mxSecurityContext = mxSEInitializer->createSecurityContext(OUString()); +#ifndef _WIN32 +#ifdef NSS_USE_ALG_IN_ANY_SIGNATURE + // policy may disallow using SHA1 for signatures but unit test documents + // have such existing signatures (call this after createSecurityContext!) + NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0); +#endif +#endif } void SigningTest::tearDown() |